<div dir="ltr"><br><br><div class="gmail_quote">On Fri Feb 13 2015 at 2:02:27 AM Colin Walters &lt;<a href="mailto:walters@verbum.org">walters@verbum.org</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Feb 12, 2015, at 01:32 PM, Stephen Gallagher wrote:<br>
<br>
> tl;dr Shall we consider requiring a lesser package review for packages<br>
> that are not present on Product or Spin install media?<br>
<br>
It's worth noting here that having two levels is not really going<br>
to be new to the ecosystem; e.g. Ubuntu has had Main/Universe<br>
for quite a while:<br>
<a href="https://help.ubuntu.com/community/Repositories/Ubuntu" target="_blank">https://help.ubuntu.com/community/Repositories/Ubuntu</a><br>
<br>
I just have one question: You're defining this split at the *runtime*<br>
level. Last I saw the Base working group was trying to cut down BuildRequires<br>
(but sadly I haven't seen them fighting Requires yet - I would love<br>
if someone did that for Perl)<br>
<br>
If Ring 0 packages BuildRequire Ring 1 (or further)<br>
packages, ultimately their quality is going to be somewhat contingent<br>
on them. Using bundling as a differentiator though, it does seem<br>
like there's likely a lot less pressure to require quick security<br>
updates for BuildRequires.<br>
<br>
Anyways, something I think is missing from here is more<br>
details on how this "on the install media set" distinction<br>
is maintained over time. If it isn't separate (yum) repositories<br>
it seems like it's going to be hard to enforce.<br>
<br>
(Who would notice if a package in 0 started depending on a ring<br>
1? Would that imply the new dependency needed another<br>
review pass?)<br></blockquote><div><br></div><div>Having bumped into bundled library issues in the past, this to me sounds like a good idea... provided exclude libraries at the beginning.</div><div><br></div><div>So: this should only leaf packages, plus applications that happen to have add-on packages that depend on them, and only those that are not Ring 0 (not shipped in one of the install media).</div><div><br></div><div>A nice alternative is to use the staging area we talked about for this Ring 1 category.</div><div><br></div><div>Best regards,</div><div><br></div><div>-- </div><div>Michel</div></div></div>